The Pre-Windows 2000 Compatible Access group in our domain includes the Anonymous Login group, apparently because a former admin set it this way when upgrading from Windows 2000.
In any case, it seems to me that because of this, an anonymous user should be able to enumerate AD objects despite having "Do not allow anonymous enumeration of SAM accounts and shares" enabled, especially since supposedly that setting has no impact on domain controllers. Yet I can't seem to be able to see any group memberships or browse through ADUC using an anonymous account. Am I missing something, or do I need to use different tools to test this?
We don't WANT anonymous users to be able to enumerate SAM accounts, but it seems like they should be able to in this case.
Thanks.
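One way to check the two settings this question turns on, as an added example that is not part of the original post: list who is actually in Pre-Windows 2000 Compatible Access (resolving the well-known SIDs that Get-ADGroupMember often fails on) and read the registry value behind "Do not allow anonymous enumeration of SAM accounts and shares". It assumes the ActiveDirectory RSAT module is installed and that it runs as a domain user able to read the Builtin container.

```powershell
# Added example (not from the original post): audit the membership of
# Pre-Windows 2000 Compatible Access and the local RestrictAnonymous setting.
Import-Module ActiveDirectory

# Well-known SIDs defined by Windows; S-1-5-7 is ANONYMOUS LOGON.
$wellKnown = @{
    'S-1-5-7'  = 'ANONYMOUS LOGON'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member

$findings = foreach ($dn in $group.member) {
    # Members here are usually foreignSecurityPrincipal objects, which
    # Get-ADGroupMember cannot always resolve, so read objectSid directly.
    $obj = Get-ADObject -Identity $dn -Properties objectSid
    $sid = $obj.objectSid.Value
    [pscustomobject]@{
        Member   = if ($wellKnown.ContainsKey($sid)) { $wellKnown[$sid] } else { $obj.Name }
        SID      = $sid
        # Anonymous Logon in this group grants unauthenticated read access
        # to directory objects regardless of the SAM enumeration policy.
        Concern  = ($sid -eq 'S-1-5-7')
    }
}
$findings | Format-Table -AutoSize

# Registry value behind "Network access: Do not allow anonymous enumeration
# of SAM accounts and shares" on the machine running the script (1 = enabled).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"RestrictAnonymous on $env:COMPUTERNAME = $($lsa.RestrictAnonymous)"
```

Run it on a domain controller to see the DC's own RestrictAnonymous value, since the group membership is domain-wide but the registry setting is per machine.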